I believe I got this from visiting the "lto.org" web site. Some kind of XP anti-spyware looking malware.

Ran Malwarebytes, quick scan & then full scan on the C: drive.

Local (this PC) admin seemed OK, but my Windows domain account could not & still can't run ".exe" programs. Can't run cmd (which is a .exe). When I double-click on a menu item, like firefox or thunderbird, or try to start-run cmd, I get the "what program do you want to run this with" dialog. Just for the user account, not admin.

The registry seems to look OK, when I tried safe mode and running regedit.exe.

Looked at some of the postings, & tried combofix. Did not help.

Any suggestions?

Whether I can be helped or not, thanks to MB for this forum and all the help everyone provides!

--

David Strom

First quick scan:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6609

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5/18/2011 9:17:00 AM

mbam-log-2011-05-18 (09-17-00).txt

Scan type: Quick scan

Objects scanned: 239812

Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

c:\documents and settings\dstrom\local settings\application data\tcq.exe (Trojan.ExeShell.Gen) -> 1848 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\dstrom\Local Settings\Application Data\tcq.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\dstrom\Local Settings\Application Data\tcq.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\dstrom\Local Settings\Application Data\tcq.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\dstrom\Local Settings\Application Data\tcq.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\dstrom\local settings\application data\tcq.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\dstrom\local settings\Temp\jar_cache8950804173939397347.tmp (Malware.Gen) -> Quarantined and deleted successfully.

*******Full Scan follows ************

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6609

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/18/2011 10:23:10 AM

mbam-log-2011-05-18 (10-23-10).txt

Scan type: Full scan (C:\|)

Objects scanned: 390531

Time elapsed: 34 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{a15cee10-6b79-49d9-82b9-f22dce155ec0}\RP696\A0045696.exe (Malware.Gen) -> Quarantined and deleted successfully.

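The quick-scan log above is the diagnosis behind the symptom in the first post: the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command had been changed from Windows' own "%1" %* to run tcq.exe in front of whatever program was launched, so every .exe (cmd.exe included) went through the malware first, and once that file was quarantined the association pointed at a program that no longer existed and Windows fell back to the "what program do you want to run this with" prompt. The same pattern was applied to the Start Menu browser entries. As an added example that is not part of this thread or of Malwarebytes' or exeHelper's code, the Python below parses "Registry Data Items Infected" lines of this log format, works out which launcher was interposed in front of the legitimate command, and checks a .exe open command against the default. The sample lines are copied from the quick-scan log above; the function names and the log line regex are my own.

```python
"""
Check Windows .exe file-association commands for an interposed launcher,
and extract that launcher from Malwarebytes 1.50-style log lines.
Added example for this thread; not Malwarebytes' or exeHelper's own code.
"""
import ntpath
import re

# Windows' default for HKCR\exefile\shell\open\command: run the clicked
# program ("%1") and pass the remaining arguments (%*) straight through.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# One "Registry Data Items Infected" line of a Malwarebytes 1.50 log
# (regex is an assumption based on the lines posted in this thread):
#   <key> (<detection>) -> Bad: (<value>) Good: (<value>) -> <action>
MBAM_DATA_ITEM = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[A-Za-z.]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)

# Constructed sample input: four lines copied from the quick-scan log above.
# The first is a non-command item and must not be flagged by hijacked_commands().
SAMPLE_LOG = r'''
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\dstrom\Local Settings\Application Data\tcq.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\dstrom\Local Settings\Application Data\tcq.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Documents and Settings\dstrom\Local Settings\Application Data\tcq.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
'''.strip().splitlines()


def tokenize(command):
    """Split a registry command string into arguments, honouring double quotes."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', command)]


def _same_argument(a, b):
    r"""Compare two arguments by file name only, case-insensitively, so that
    'C:\Program Files\Mozilla Firefox\firefox.exe' matches 'firefox.exe'."""
    return ntpath.basename(a).lower() == ntpath.basename(b).lower()


def interposed_launcher(bad_command, good_command):
    """Return the tokens the bad command runs in front of the good one (the
    interposed launcher and its switches), or None when the good command is
    not simply appended to something else."""
    bad, good = tokenize(bad_command), tokenize(good_command)
    if len(bad) <= len(good):
        return None
    cut = len(bad) - len(good)
    if all(_same_argument(x, y) for x, y in zip(bad[cut:], good)):
        return bad[:cut]
    return None


def exefile_command_is_hijacked(command):
    """True unless the .exe open command launches the clicked program (%1) first."""
    tokens = tokenize(command)
    return not tokens or tokens[0] != "%1"


def parse_mbam_data_items(lines):
    """Parse 'Registry Data Items Infected' lines into dicts; skip non-matching lines."""
    matches = (MBAM_DATA_ITEM.match(line.strip()) for line in lines)
    return [m.groupdict() for m in matches if m]


def hijacked_commands(log_lines):
    """Map each hijacked shell command key to the launcher interposed in front of it."""
    found = {}
    for item in parse_mbam_data_items(log_lines):
        if not item["key"].lower().endswith(r"\command\(default)"):
            continue  # e.g. the StartMenuLogoff policy value: not a command
        launcher = interposed_launcher(item["bad"], item["good"])
        if launcher:
            found[item["key"]] = launcher[0]
    return found


if __name__ == "__main__":
    print("default .exe command hijacked:",
          exefile_command_is_hijacked(DEFAULT_EXEFILE_COMMAND))
    for key, launcher in hijacked_commands(SAMPLE_LOG).items():
        print(f"{key}\n    interposed launcher: {launcher}")
```

Two things worth keeping in mind when using a check like this on a live machine rather than on a log: HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes, with the per-user key taking precedence, so an association can be hijacked for one account and intact for another on the same PC, and the check has to be run as the affected user. Second, a value that merely differs from "%1" %* is not automatically malicious; this example reports what is interposed and leaves the judgement to the analyst.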

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs for these tools, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With admin rights (right-click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Run a new MBAM scan being sure to update it before running.


Full scan on C: drive below. I'm using the local admin account & it works OK. Just my login (AD domain) cannot run exe files.

Thanks.

--

Dave

Scan output:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6627

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/20/2011 11:52:30 AM

mbam-log-2011-05-20 (11-52-30).txt

Scan type: Full scan (C:\|)

Objects scanned: 387200

Time elapsed: 30 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Vista / Win7 users:

1. These tools MUST be run from the executable (.exe).

2. With admin rights (right-click, choose "Run as Administrator") every time you run them.

1) exeHelper

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Let me know if that fixed the exe files.


Hey, my AD login works now!

Thank you very much! Good Karma to all of you for your good work!

--

David Strom

EXE helper log, per request:

exeHelper by Raktor

Build 20100414

Run at 09:36:29 on 05/23/11

Now searching...

Checking for numerical processes...

Checking for sysguard processes...

Checking for bad processes...

Checking for bad files...

Checking for bad registry entries...

Resetting filetype association for .exe

Resetting filetype association for .com

Resetting userinit and shell values...

Resetting policies...

--Finished--


Another scan of the C: drive below.

Clean. <sigh of relief>

--

Dave

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6654

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/23/2011 1:43:40 PM

mbam-log-2011-05-23 (13-43-40).txt

Scan type: Full scan (C:\|)

Objects scanned: 388405

Time elapsed: 30 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)
